projects / pve-access-control.git / blame
| Commit | Line | Data |
|---|---|---|
| 891f7afa FG |
1 | #!/usr/bin/perl -w |
| 2 | ||
| 3 | use strict; | |
| 4 | use PVE::Tools; | |
| 5 | use PVE::AccessControl; | |
| 6 | use PVE::RPCEnvironment; | |
| 7 | ||
| 8 | my $rpcenv = PVE::RPCEnvironment->init('cli'); | |
| 9 | ||
| 10 | my $cfgfn = "test8.cfg"; | |
| 11 | $rpcenv->init_request(userconfig => $cfgfn); | |
| 12 | ||
| 13 | sub check_roles { | |
| 14 | my ($user, $path, $expected_result) = @_; | |
| 15 | ||
| 16 | my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path); | |
| 17 | my $res = join(',', sort keys %$roles); | |
| 18 | ||
| 19 | die "unexpected result\nneed '${expected_result}'\ngot '$res'\n" | |
| 20 | if $res ne $expected_result; | |
| 21 | ||
| 22 | print "ROLES:$path:$user:$res\n"; | |
| 23 | } | |
| 24 | ||
| 25 | sub check_permission { | |
| 26 | my ($user, $path, $expected_result) = @_; | |
| 27 | ||
| 28 | my $perm = $rpcenv->permissions($user, $path); | |
| 29 | my $res = join(',', sort keys %$perm); | |
| 30 | ||
| 31 | die "unexpected result\nneed '${expected_result}'\ngot '$res'\n" | |
| 32 | if $res ne $expected_result; | |
| 33 | ||
| 34 | $perm = $rpcenv->permissions($user, $path); | |
| 35 | $res = join(',', sort keys %$perm); | |
| 36 | die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n" | |
| 37 | if $res ne $expected_result; | |
| 38 | ||
| 39 | print "PERM:$path:$user:$res\n"; | |
| 40 | } | |
| 41 | ||
| 42 | check_roles('max@pve', '/', ''); | |
| 43 | check_roles('max@pve', '/vms', 'vm_admin'); | |
| 44 | ||
| 45 | #user permissions overrides group permissions | |
| 46 | check_roles('max@pve', '/vms/100', 'customer'); | |
| 47 | check_roles('max@pve', '/vms/101', 'vm_admin'); | |
| 48 | ||
| 49 | check_permission('max@pve', '/', ''); | |
| 50 | check_permission('max@pve', '/vms', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console'); | |
| 51 | check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt'); | |
| 52 | ||
| 53 | check_permission('alex@pve', '/vms', ''); | |
| 54 | check_permission('alex@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt'); | |
| 55 | ||
| 56 | check_roles('max@pve', '/vms/200', 'storage_manager'); | |
| 57 | check_roles('joe@pve', '/vms/200', 'vm_admin'); | |
| 58 | check_roles('sue@pve', '/vms/200', 'NoAccess'); | |
| 59 | ||
| 60 | check_roles('carol@pam', '/vms/200', 'NoAccess'); | |
| 61 | check_roles('carol@pam!token', '/vms/200', 'NoAccess'); | |
| 62 | check_roles('max@pve!token', '/vms/200', 'storage_manager'); | |
| 63 | check_roles('max@pve!token2', '/vms/200', 'customer'); | |
| 64 | ||
| 1bd10ecf FG |
65 | # check intersection -> token has Administrator, but user only vm_admin |
| 66 | check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console'); | |
| 67 | ||
| 891f7afa FG |
68 | print "all tests passed\n"; |
| 69 | ||
| 70 | exit (0); | |
| 71 |